fix: Address PR review feedback for RegistrationGuard SPI

- Default deny reason to "Registration denied." when null/blank
- Add INFO logging on guard denial in UserAPI, DSOAuth2UserService,
  DSOidcUserService
- Add startup log in RegistrationGuardConfiguration when default
  guard is registered
- Remove unnecessary @ExtendWith(MockitoExtension.class) from
  DefaultRegistrationGuardTest and RegistrationDecisionTest
- Replace inline Mockito.mock() with @mock field in
  UserAPIRegistrationGuardTest
- Add tests for null/blank deny reason defaulting
- Update REGISTRATION-GUARD.md troubleshooting to reference actual
  log messages, document error code 6

Author: devondragon

REGISTRATION-GUARD.md

@@ -154,8 +154,12 @@ When a guard denies a registration, the behavior depends on the registration pat
 | **OAuth2** | `OAuth2AuthenticationException` with error code `"registration_denied"` — handled by Spring Security's OAuth2 failure handler |
 | **OIDC** | `OAuth2AuthenticationException` with error code `"registration_denied"` — handled by Spring Security's OAuth2 failure handler |
 
+The JSON error code `6` identifies a registration guard denial specifically, distinguishing it from other registration errors (e.g., code `1` for validation failures, code `2` for duplicate accounts). Client-side code can check this code to display targeted messaging.
+
 For OAuth2/OIDC denials, customize the user experience by configuring Spring Security's OAuth2 login failure handler to inspect the error code and display an appropriate message.
 
+All denied registrations are logged at INFO level with the email, source, and denial reason.
+
 ## Key Constraints
 
 - **Single-bean SPI** — Only one `RegistrationGuard` bean may be active at a time. This is not a chain or filter pattern; define exactly one guard.
@@ -168,12 +172,8 @@ For OAuth2/OIDC denials, customize the user experience by configuring Spring Sec
 **Guard Not Activating**
 - Ensure your guard class is annotated with `@Component` (or otherwise registered as a Spring bean)
 - Verify the class is within a package that is component-scanned by your application
-- Check that `DefaultRegistrationGuard` is being replaced — enable debug logging:
-  ```yaml
-  logging:
-    level:
-      com.digitalsanctuary.spring.user.registration: DEBUG
-  ```
+- At startup, the library logs `"No custom RegistrationGuard bean found — using DefaultRegistrationGuard (permit-all)"` at INFO level. If you see this message, your custom guard bean is not being detected.
+- You can also check the active guard via `/actuator/beans` (if enabled) or your IDE's Spring tooling.
 
 **Multiple Guards Defined**
 - Only one `RegistrationGuard` bean is allowed. If multiple beans are defined, Spring will throw a `NoUniqueBeanDefinitionException` at startup.

src/main/java/com/digitalsanctuary/spring/user/api/UserAPI.java

@@ -112,6 +112,7 @@ public ResponseEntity<JSONResponse> registerUserAccount(@Valid @RequestBody User
 			RegistrationDecision decision = registrationGuard.evaluate(
 					new RegistrationContext(userDto.getEmail(), RegistrationSource.FORM, null));
 			if (!decision.allowed()) {
+				log.info("Registration denied for email: {} source: FORM reason: {}", userDto.getEmail(), decision.reason());
 				return buildErrorResponse(decision.reason(), 6, HttpStatus.FORBIDDEN);
 			}
 
@@ -409,6 +410,7 @@ public ResponseEntity<JSONResponse> registerPasswordlessAccount(@Valid @RequestB
 			RegistrationDecision decision = registrationGuard.evaluate(
 					new RegistrationContext(dto.getEmail(), RegistrationSource.PASSWORDLESS, null));
 			if (!decision.allowed()) {
+				log.info("Registration denied for email: {} source: PASSWORDLESS reason: {}", dto.getEmail(), decision.reason());
 				return buildErrorResponse(decision.reason(), 6, HttpStatus.FORBIDDEN);
 			}
 

src/main/java/com/digitalsanctuary/spring/user/registration/RegistrationDecision.java

@@ -25,6 +25,9 @@ public static RegistrationDecision allow() {
      * @return a denying decision with the given reason
      */
     public static RegistrationDecision deny(String reason) {
+        if (reason == null || reason.trim().isEmpty()) {
+            reason = "Registration denied.";
+        }
         return new RegistrationDecision(false, reason);
     }
 }

src/main/java/com/digitalsanctuary/spring/user/registration/RegistrationGuardConfiguration.java

@@ -4,18 +4,22 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import lombok.extern.slf4j.Slf4j;
+
 /**
  * Auto-configuration for the {@link RegistrationGuard} SPI.
  *
  * <p>Registers a {@link DefaultRegistrationGuard} (permit-all) when no custom
  * {@link RegistrationGuard} bean is defined by the consuming application.</p>
  */
+@Slf4j
 @Configuration
 public class RegistrationGuardConfiguration {
 
     @Bean
     @ConditionalOnMissingBean(RegistrationGuard.class)
     public RegistrationGuard registrationGuard() {
+        log.info("No custom RegistrationGuard bean found — using DefaultRegistrationGuard (permit-all)");
         return new DefaultRegistrationGuard();
     }
 }

src/main/java/com/digitalsanctuary/spring/user/service/DSOAuth2UserService.java

@@ -107,6 +107,8 @@ public User handleOAuthLoginSuccess(String registrationId, OAuth2User oAuth2User
             RegistrationDecision decision = registrationGuard.evaluate(
                     new RegistrationContext(user.getEmail(), RegistrationSource.OAUTH2, registrationId));
             if (!decision.allowed()) {
+                log.info("Registration denied for email: {} source: OAUTH2 provider: {} reason: {}",
+                        user.getEmail(), registrationId, decision.reason());
                 throw new OAuth2AuthenticationException(
                         new OAuth2Error("registration_denied"), decision.reason());
             }

src/main/java/com/digitalsanctuary/spring/user/service/DSOidcUserService.java

@@ -97,6 +97,8 @@ public User handleOidcLoginSuccess(String registrationId, OidcUser oidcUser) {
             RegistrationDecision decision = registrationGuard.evaluate(
                     new RegistrationContext(user.getEmail(), RegistrationSource.OIDC, registrationId));
             if (!decision.allowed()) {
+                log.info("Registration denied for email: {} source: OIDC provider: {} reason: {}",
+                        user.getEmail(), registrationId, decision.reason());
                 throw new OAuth2AuthenticationException(
                         new OAuth2Error("registration_denied"), decision.reason());
             }

src/test/java/com/digitalsanctuary/spring/user/api/UserAPIRegistrationGuardTest.java

@@ -70,6 +70,9 @@ class UserAPIRegistrationGuardTest {
     @Mock
     private RegistrationGuard registrationGuard;
 
+    @Mock
+    private WebAuthnCredentialManagementService webAuthnService;
+
     @InjectMocks
     private UserAPI userAPI;
 
@@ -155,7 +158,6 @@ void shouldRejectPasswordlessRegistrationWhenGuardDenies() throws Exception {
             dto.setFirstName("Test");
             dto.setLastName("User");
 
-            WebAuthnCredentialManagementService webAuthnService = org.mockito.Mockito.mock(WebAuthnCredentialManagementService.class);
             when(webAuthnCredentialManagementServiceProvider.getIfAvailable()).thenReturn(webAuthnService);
             when(registrationGuard.evaluate(any(RegistrationContext.class)))
                     .thenReturn(RegistrationDecision.deny("Beta access required"));
@@ -183,7 +185,6 @@ void shouldAllowPasswordlessRegistrationWhenGuardAllows() throws Exception {
                     .disabled()
                     .build();
 
-            WebAuthnCredentialManagementService webAuthnService = org.mockito.Mockito.mock(WebAuthnCredentialManagementService.class);
             when(webAuthnCredentialManagementServiceProvider.getIfAvailable()).thenReturn(webAuthnService);
             when(registrationGuard.evaluate(any(RegistrationContext.class)))
                     .thenReturn(RegistrationDecision.allow());

src/test/java/com/digitalsanctuary/spring/user/registration/DefaultRegistrationGuardTest.java

@@ -4,10 +4,7 @@
 
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
 
-@ExtendWith(MockitoExtension.class)
 @DisplayName("DefaultRegistrationGuard Tests")
 class DefaultRegistrationGuardTest {
 

src/test/java/com/digitalsanctuary/spring/user/registration/RegistrationDecisionTest.java

@@ -4,10 +4,7 @@
 
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
 
-@ExtendWith(MockitoExtension.class)
 @DisplayName("RegistrationDecision Tests")
 class RegistrationDecisionTest {
 
@@ -28,4 +25,22 @@ void shouldCreateDenyDecision() {
         assertThat(decision.allowed()).isFalse();
         assertThat(decision.reason()).isEqualTo("Invite code required");
     }
+
+    @Test
+    @DisplayName("Should default reason when deny is called with null")
+    void shouldDefaultReasonWhenNull() {
+        RegistrationDecision decision = RegistrationDecision.deny(null);
+
+        assertThat(decision.allowed()).isFalse();
+        assertThat(decision.reason()).isEqualTo("Registration denied.");
+    }
+
+    @Test
+    @DisplayName("Should default reason when deny is called with blank string")
+    void shouldDefaultReasonWhenBlank() {
+        RegistrationDecision decision = RegistrationDecision.deny("   ");
+
+        assertThat(decision.allowed()).isFalse();
+        assertThat(decision.reason()).isEqualTo("Registration denied.");
+    }
 }